• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

ColdFusion 2021 and outdated Tomcat

Community Beginner ,
May 04, 2023 May 04, 2023

Copy link to clipboard

Copied

Our company has completed a security review of ColdFusion 2021 update 4 and found it is using an outdated version of Tomcat (9.0.60). Does anyone know if Adobe will be updating Tomcat to the latest version (9.0.74)?

Views

493

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 05, 2023 May 05, 2023

Copy link to clipboard

Copied

Good question.

You should put in a Feature Request. If you do, you might want to include the link to the list of Tomcat vulnerabilities.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 05, 2023 May 05, 2023

Copy link to clipboard

Copied

My answer would be: yes, they always do eventually offer an update which updates the Tomcat. But the problem is we don't know when, and it has sometimes lingered for over a year. Also, sadly, we can't update it ourselves, as it's a custom implementation of tomcat. 

 

What's one to do?

 

1) Well, as bkbk said you can file a  bug report (or add a vote to one already created).

 

2) Another option is to run cf atop a Tomcat that you implement yourself, deploying cf as a war file. That's an option offered on running the cf installer (to create that war file), or it can be created from within the cf admin, package mgt section. This war file can be deployed in tomcat or any Java app server. (Lucee also offers this deployment option of running it as a war file.)

 

Unfortunately, running such a CF war in production requires a license--and Adobe currently ptevents running as a war if a CF Standard license key is implemented. This is also why Commandbox cannot run cf with a Standard license. I do really wish Adobe would lift that limitation, for both reasons. 

 

Running cf (or lucee) via a war file does entail learning use of aspects of tomcat that normally hidden from those who run cf the "normal" way. Also, various config folders are in quite different locations, which challenges using traditional help resources (written and human). But desperate times call for desperate measures, and I wanted to clarify this is an option.

 

3) Finally, some folks simply present the situation to their security folks and seek an exception while awaiting Adobe to finally implement the update.

 

Hope that's a little more clarifying for you, even if more conciliatory than comforting. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 12, 2023 May 12, 2023

Copy link to clipboard

Copied

I raised a bug the same day I added this conversatioin. However, I can not see it so I raised a Feature request. I encourage people to vote for it: CF-4217860

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 12, 2023 May 12, 2023

Copy link to clipboard

Copied

Voted. 🙂

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 12, 2023 May 12, 2023

Copy link to clipboard

Copied

You missed a chance to ask them to provide a way that we could update tomcat... even if only to updates within the Tomcat version currently running within cf.

 

As for your missing bug report, are you saying that when you view the front page of the tracker site (which lists all your submissions) you see this one but not that one?

 

Anyway, I'll add a vote and a comment about this and what I said above. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 26, 2023 May 26, 2023

Copy link to clipboard

Copied

LATEST

I'll add that at least CF2023 (the final release) now comes (initially) with 9.0.72. Still not 9.0.75 or 74, but a step in the right direction. 

 

Again, time will tell when a CF2021 update may update the Tomcat in CF2021 beyond the 9.0.60 in update 6 (as I write, which last changed in update 4).

 

I've added this comment to the tracker ticket...but sadly we've heard not a word from Adobe or anyone else.


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation